MS will build data centres, then hand the keys over to a local "data trustee."

Microsoft has launched a new kind of cloud service in Germany where user data is controlled by a "data trustee" operating under German law. Microsoft is unable to access user data without the permission of the data trustee or the customer, even if it is instructed to do so by the US government. If permission is granted by the data trustee, Microsoft will still only do so under its supervision. The idea behind the new data trustee-based cloud services is presumably to address European concerns that the NSA and other US agencies could demand access to any user data stored using Microsoft's current cloud services.

According to Microsoft's press release, the data trustee for the new German cloud offerings is T-Systems, a subsidiary of the giant telecom company Deutsche Telekom. Timotheus Höttges, Deutsche Telekom's CEO, is quoted as saying: "Microsoft is pioneering a new, unique, solution for customers in Germany and Europe. Now, customers who want local control of their data combined with Microsoft’s cloud services have a new option, and I anticipate it will be rapidly adopted."

Two new data centres are being built: one in Frankfurt am Main, the other in Magdeburg. Both will offer Azure, Office 365, and the Dynamics CRM Online cloud services from the second half of 2016. The two locations will be connected by a private network, separate from the Internet, in order to ensure that data never leaves Germany as it moves between them—for example, to provide automatic backups. Microsoft says the new offering is aimed particularly at European companies and organisations working with sensitive data, such as those in the finance and health sectors.

It isn't entirely clear how these new data centres will actually be operated. It sounds like Microsoft will build the data centre and set things up, and then hand the keys to the data trustee. Microsoft says that its staff will not have independent access to the data held there.

Further Reading

As Ars reported yesterday, Microsoft is spending £1.3 billion to expand its network of data centres in Europe, and has 24 cloud regions around the world. Today's announcement is significant, because it shows the company going beyond simply installing servers locally, to handing operational control to a local company subject to local laws.

This could offer a solution to the dilemma faced by Microsoft and other US companies when they are ordered to hand over data located overseas, particularly in the EU. If they don't comply, they will break US laws; if they do comply, they will break EU data protection laws. That's a real issue for Microsoft, which is currently fighting attempts by the US authorities to obtain customer e-mails stored in Ireland. Although the NSA could doubtless still resort to other methods in order to obtain data held overseas, that is true for any cloud-based service, located anywhere in the world. If Microsoft's new approach proves popular, it is likely to be imitated by other US companies facing the same problems with their services in the EU.

Promoted Comments

What is to stop MS handling govt requests as normal user activity (editing a spreadsheet)? Then simply handing a copy made in this process to the government.? i.e., they don't need to request the trustee to give the government access, they can simply process govt requests as if they were normal user-related activity.

I think you're trying to say that MS could still access the data by logging in as a user that owned it? Well that's not necessarily the case and there would be better ways of getting data anyway, but you're missing the point that MS don't want to do this. They're currently fighting a very expensive battle against the US government to not be forced to do this. Being seen as a proxy if the US govt. harms their image and international business quite a lot. They actually want to not have this access. Less hassle for them and more trusted by their customers.

If that is not the case, then I am guessing the US will amend its laws to make it illegal for a US entity (or any entity wishing to trade in the US) to place itself at arms length from data it processes for users.

Microsoft Ireland is already a separate legal entity. It isn't subject to US laws. The issue is that Microsoft the US company has access to data held by the Ireland entity and the US government is interpreting its laws as this meaning it has to hand over someone else's data. This announcement by MS isn't about creating new legal entities - they can already do that. It's about stopping themselves from having access so that the US govt. can't force them to hand over European data.